Cloud Security Firm Netskope Raises $340 Million at $3 Billion Valuation

Cloud security company Netskope on Thursday announced that it has raised $340 million in a Series G funding round, valuing the firm at nearly $3 billion.

This funding round, which brings the total raised by the company to over $740 million, was led by new investor Sequoia Capital Global Equities, with participation from Canada Pension Plan Investment Board, PSP Investments, Lightspeed Venture Partners, Accel, Base Partners, ICONIQ Capital, Sapphire Ventures, Geodesic Capital and Social Capital.

“We’ll use this investment to continue to execute on our plan to dominate the largest market in security and accelerate global security transformation by innovating our platform and network and product set, and advancing our efforts to make our sales, marketing and post-sale efforts industry best,” Sanjay Beri, CEO and founder of Netskope, told SecurityWeek.

Netskope offers a cloud security platform designed to help organizations manage risk, protect data, and block threats by providing full visibility and control, data loss prevention (DLP), and threat protection capabilities for their web, SaaS, and IaaS assets.

The company, which achieved unicorn status in 2018 after it raised over $168 million in a Series F funding round, claims it saw an 80 percent year-over-year growth in number of customers last year, including a quarter of Fortune 100 organizations.

Netskope also says its employee headcount increased by nearly 50 percent in the last year, and it expanded operations to Australia, Germany, Italy, Spain, Singapore, Mexico, Brazil, Chile and Colombia.

“Netskope has become the unrivaled leader driving innovation across cloud, data and network security, which makes up the largest part of today’s security market,” said Patrick Fu, managing partner at Sequoia Capital Global Equities. “Netskope is raising the bar for game changers who are successfully pushing beyond the limitations of existing technology to reshape a market. Sanjay and the entire Netskope team are on an incredible trajectory, and we are thrilled to partner with this talented team for the long term.”

Source: Cloud Security Firm Netskope Raises $340 Million at $3 Billion Valuation

Forescout Technologies to be Acquired in $1.9 Billion Deal

Enterprise device security firm Forescout Technologies (NASDAQ:FSCT) announced on Thursday that it has agreed to be acquired by private equity firm Advent International in a deal valued at $1.9 billion.

Under the terms of the agreement, Advent will acquire all outstanding shares of Forescout common stock for $33.00 in cash, a premium of nearly 20% over Forescout’s closing share price on Feb. 5th.

There is a chance that Advent could be outbid for the cybersecurity firm, as the agreement includes a 30-day “go-shop” period that expires on March 8, 2020, and allows Forescout to solicit alternative acquisition bids from interested parties.

ForeScout’s offerings help customers gain real-time network visibility into users, devices, systems and applications. Its platform helps IT organizations better understand their security posture and automate responses to a wide variety of security issues.

Upon completion of the transaction, Forescout will become a private company led by current CEO and President Michael DeCesare and continue to be headquartered in San Jose, California.

“We are still in early innings of a large market opportunity as every organization needs visibility into what is connecting to their network and how to mitigate against high risk devices, including non-traditional IoT and OT devices,” said DeCesare. “This transaction represents an exciting new phase in the evolution of Forescout.”

In 2016, Forescout raised $76 million in funding at a $1 billion valuation, and became a public company after its initial public offering (IPO) in October 2017.

In November 2018, Forescout acquired operational technology (OT) network security firm SecurityMatters for approximately $113 million in cash to expand its industrial cybersecurity offerings.

Assuming Advent is not outbid, the transaction is expected to close in the second calendar quarter of 2020, subject to customary closing conditions.

Advent is joined by private equity firm Crosspoint Capital Partners as a co-investor and advisor.

Forescout had $336.8 million in revenue in 2019, an increase of 13% over 2018, according to its latest financial results released Thursday.

Source: Forescout Technologies to be Acquired in $1.9 Billion Deal

New Public Company SCVX Formed to Acquire Cybersecurity Firms

World’s First Cybersecurity Special Purpose Acquisition Company (SPAC) to Build a New Cybersecurity Platform

Cybersecurity-focused venture capital firm Strategic Cyber Ventures (SCV) has announced the initial public offering (IPO) of SCVX — the world’s first cybersecurity-focused Special Purpose Acquisition Company (SPAC).

An SPAC is a financial vehicle designed to raise money for the purpose of acquiring an existing company (or in this case, companies). It is a publicly traded company formed from money raised through an IPO. Shareholders in the SPAC become shareholders in the acquired companies.

The SCVX IPO has been priced at $200 million, and SCVX is now listed on the New York Stock Exchange. Credit-Suisse is the sole book-running manager, and will provide the prospectuses through which the offering is made.

SCVX now has 24 months to find an asset for purchase. When found, the potential purchase is taken to a shareholder vote. If approved, the asset is acquired with the capital raised in the IPO. In theory, an asset could go from start-up with promise to a public company instantly. The first target, however, will be an existing company with proven pedigree that lies somewhere between venture capital investment and going public. It is worth noting, for example, that SCV’s existing portfolio companies are all too early stage or Series A investments to be considered for purchase by the new SCVX.

The ability of the SPAC’s Board to find a new company or companies and recognize evolving trends is vital to the future of the company — and the SCVX line-up includes a recent director of national intelligence, the current CISO from the Bank of New York, a former Goldman Sachs managing director, and a former chief security scientist from the Bank of America.

SecurityWeek talked to Mike Doniger (SCVX CEO) and Hank Thomas (SCVX CTO) about the direction and purpose of the new SPAC. “Some SPACs,” Doniger explained, “are broad in nature, saying they will buy an industrial company or an energy company. We’ve taken a different approach, with the targeted purpose of buying a cybersecurity firm.”

The purpose goes beyond this. The team sees a problem in the cybersecurity market which it hopes to help solve. The market is fractured, with new startups with new ideas every week. There are too many niche vendors that address one or two threat vectors without scaling across all the threat vectors that need to be addressed; and the result is that larger enterprises can use up to a hundred different security products to defend their networks and data. This causes multiple problems: potential gaps between products; overlapping, costly and redundant security in some areas; and unnecessary cost in money and time to make best use of so many different products.

The business plan for many of the startups is simply to be acquired by existing large companies with existing security platforms. This helps control the overall spread of security vendors, but is not very efficient. New technology must be bolted on, or integrated into, older technology — and it is not always an easy fit. The need, suggest Doniger and Thomas, is for a new platform to absorb new ideas and cover a wider area of cybersecurity to reduce enterprise reliance on too many point products. Finding the new platform is the first task.

“We’ve got to the point where the current marketplace is madness,” commented Thomas. “Some sort of consolidation is going to occur. I see our SPAC as a vehicle to build a revolutionary platform for the cybersecurity industry. In the not-too-distant future I see the number of vendors in the CISO landscape going from 75 to 100 down to 25 to 30 with a couple of major platforms — one of which we intend to build through the SCVX SPAC vehicle. The timeline is this. First, we find our initial business combination, which is a platform security company already based on next-generation technologies that will allow it to be cloud native. Then, we inject it with the capital it needs to innovate and make additional acquisitions down the line. The new acquisitions will complement the core technology of the cornerstone platform we’ve chosen.”

“We are targeting companies that have achieved critical mass in the cybersecurity industry globally, with enterprise valuations in the range of $600 million to $1.5 billion,” Thomas commented in a LinkedIn post.

The theory is relatively simple. The best security solution is not to bolt new technology on to old, but to build a new integrated platform entirely using new technology. The SPAC will first find and acquire the cornerstone technology, and then that company will expand its offerings through the acquisition of new, small and innovative products.

The SCVX SPAC is a vehicle for bringing new finance to the marketplace so that a new solution can be found and developed. It would be impossible for a single platform to solve all security needs — identity and access management is entirely different to endpoint security. Nevertheless, said Thomas, if you consider a CISO might have a hundred parts to his security requirements, “we would like to build a cornerstone platform that starts out with managing 25% of the average CISO’s attackable surface, and then build on it from there.”

*Updated with additional comment from SCV’s Thomas

Source: New Public Company SCVX Formed to Acquire Cybersecurity Firms

Apple Patches Tens of Vulnerabilities in iOS, macOS Catalina

Apple this week released software updates to address tens of security flaws in iOS, iPadOS, macOS Catalina, and other products.

A total of 23 vulnerabilities were addressed in iOS 13.3.1 and iPadOS 13.3.1, now rolling out for iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation.

The flaws impact components such as Audio, FaceTime, ImageIO, IOAcceleratorFamily, IPSec, Kernel, libxpc, Mail, Messages, Phone, Safari Login AutoFill, Screenshots, and wifivelocityd.

Successful exploitation of most of these issues could result in arbitrary code execution with kernel or system privileges, Apple explains in its advisory.

Other flaws, however, could lead to leaking restricted memory, determining kernel memory layout, heap corruption, privilege escalation, unauthorized access to contacts from the lock screen, or passwords being sent unencrypted over the network.

iOS 13.3.1 also “adds a setting to control the use of location services by the U1 Ultra Wideband chip,” Apple explains in the platform’s release notes. This setting allows users to completely turn off location checks on their devices, which was not possible before due to the ultra-wideband technology.

Apple also released iOS 12.4.5 this week, for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation, but says that no CVEs were included in the update.

There were 32 vulnerabilities addressed with the release of macOS Catalina 10.15.3 and security updates for macOS Mojave and High Sierra — the patches apply to macOS High Sierra 10.13.6, macOS Mojave 10.14.6, and macOS Catalina 10.15.2.

Impacted components include AnnotationKit, Audio, autofs, CoreBluetooth, Crash Reporter, Image Processing, ImageIO, Intel Graphics Driver, IOAcceleratorFamily, IPSec, Kernel, libxml2, libxpc, PackageKit, Security, sudo, System, Wi-Fi, and wifivelocityd.

Apple says the bugs could be exploited to execute arbitrary code on an affected system, determine kernel memory layout, read restricted memory, trigger a heap corruption, overwrite files, or bypass Gatekeeper, among others.

watchOS 6.1.2 was released with patches for 15 vulnerabilities in AnnotationKit, Audio, ImageIO, IOAcceleratorFamily, Kernel, libxpc, and wifivelocityd. These could lead to code execution, privilege escalation, heap corruption, or could allow an application to read restricted memory.

The newly released tvOS 13.3.1 includes patches for 14 vulnerabilities in Audio, ImageIO, IOAcceleratorFamily, IPSec, Kernel, libxpc, WebKit, and wifivelocityd, which could lead to arbitrary code execution, privilege escalation, or heap corruption, or could allow applications to read restricted memory or determine kernel memory layout.

Safari 13.0.5 was released with fixes for two security flaws that could result in address bar spoofing when visiting a malicious website, or in a local user unknowingly sending a password unencrypted over the network.

This week, Apple also released iTunes 12.10.4 for Windows, which addresses an issue that could result in a user gaining access to protected parts of the file system.

Source: Apple Patches Tens of Vulnerabilities in iOS, macOS Catalina

Flexible tech harvests body heat to power health wearables

A flexible device can harvest the heat energy from the human body to monitor health, researchers report.

The device surpasses all other flexible harvesters that use body heat as their sole energy source.

In a paper in Applied Energy, the researchers report significant enhancements to the flexible body heat harvester they first reported in 2017. The harvesters use heat energy from the human body to power wearable technologies—think of smart watches that measure your heart rate, blood oxygen, glucose, and other health parameters—that never need to have their batteries recharged. The technology relies on the same principles governing rigid thermoelectric harvesters that convert heat to electrical energy.

Flexible harvesters that conform to the human body are highly desired for use with wearable technologies. Superior skin contact with flexible devices, as well as the ergonomic and comfort considerations for the device wearer, are the core reasons behind building flexible thermoelectric generators, or TEGs, says corresponding author Mehmet Ozturk, a professor of electrical and computer engineering at North Carolina State University.

The performance and efficiency of flexible harvesters, however, currently trail well behind rigid devices, which have been superior in their ability to convert body heat into usable energy.

“The flexible device reported in this paper is significantly better than other flexible devices reported to date and is approaching the efficiency of rigid devices, which is very encouraging,” Ozturk says.

The proof-of-concept TEG originally reported in 2017 employed semiconductor elements that were connected electrically in series using liquid-metal interconnects made of EGaIn—a nontoxic alloy of gallium and indium. EGaIn provided both metal-like electrical conductivity and stretchability. Researchers embedded the entire device in a stretchable silicone elastomer.

The upgraded device employs the same architecture but it significantly improves the thermal engineering of the previous version, while increasing the density of the semiconductor elements responsible for converting heat into electricity. One of the improvements is an improved silicone elastomer—essentially a type of rubber—that encapsulates the EGaIn interconnects.

“The key here is using a high thermal conductivity silicone elastomer doped with graphene flakes and EGaIn,” Ozturk says. The elastomer provides mechanical robustness against punctures while improving the device’s performance.

“Using this elastomer allowed us to boost the thermal conductivity—the rate of heat transfer—by six times, allowing improved lateral heat spreading,” he says.

Ozturk adds that one of the strengths of the technology is that it eliminates the need for device manufacturers to develop new flexible, thermoelectric materials because it incorporates the very same semiconductor elements used in rigid devices. Ozturk says future work will focus on further improving the efficiencies of these flexible devices.

The research group has a recent patent on the technology. Funding for the work came from the NC State’s National Science Foundation-funded Advanced Self-Powered Systems of Integrated Sensors and Technologies Center.

Source: NC State

Source: Flexible tech harvests body heat to power health wearables

Liquid Metal Biosensors for Healthcare Monitoring

Flexible biosensors are a popular new field of research. Soft pressure sensors are of particular interest because there are many applications for them in healthcare. Most flexible pressure sensors are based on solid-state components that tend to rely on carbon nanotubes and graphene. Carbon nanotubes or graphene flakes are seeded through a stretchy material to maintain conductivity while being squeezed and pulled, but the signal that is passed through changes when the material is deformed. This makes sensing using such materials somewhat inaccurate. Now researchers at KAIST, South Korea’s institute of science and technology, have been able to use a liquid metal to make highly accurate flexible pressure sensors that can be manufactured relatively inexpensively.

Liquid metals, such as Galinstan, an alloy of gallium, indium, and tin, have been tried inside flexible pressure sensors but the devices produced were not sensitive enough to detect heartbeats and other biological signals. The KAIST team created a 3D printed sensor that integrates liquid metal and a rigid microbump array to produce accurate, highly sensitive pressure readings.

The 3D printing makes manufacturing of such devices relatively easy, specifically the integration of the microbump array and a channel for the liquid metal. The capability allows for high sensitivity, enough to detect heartbeats on the skin, and a signal drift next to nonexistent, even after 10,000 stretching cycles.

These sensors can withstand moisture and other environmental variables and have already been integrated into a proof-of-concept wristband that monitors the pulse rate, a heel pressure monitor, and a non-invasive blood pressure sensor that estimates BP readings based on pulse travel times.

“It was possible to measure health indicators including pulse and blood pressure continuously as well as pressure of body parts using our proposed soft pressure sensor,” said Inkyu Park, the senior author of the study published in the journal Advanced Healthcare Materials. “We expect it to be used in health care applications, such as the prevention and the monitoring of the pressure-driven diseases such as pressure ulcers in the near future. There will be more opportunities for future research including a whole-body pressure monitoring system related to other physical parameters.”

Study in Advanced Healthcare Materials: Wearable Sensors: Highly Sensitive and Wearable Liquid Metal‐Based Pressure Sensor for Health Monitoring Applications

Via: KAIST

Source: Liquid Metal Biosensors for Healthcare Monitoring

AI-based Document Classification Firm Concentric Emerges From Stealth

Concentric Emerges from Stealth with AI Document Classification Product and $7.5 Million Seed Funding

Unstructured documents — especially those that have been given wrong or no sensitivity classification — are among the most difficult assets for any enterprise to track and secure. Problems come from staff inappropriately sharing and insecurely storing documents. Ensuing threats go beyond the compliance concern of leaking personal data, and include the danger of sensitive commercial data falling into the wrong hands.

San Jose, California-based Concentric has emerged from stealth with the availability of a new deep learning solution called Semantic Intelligence. It uses language analysis to determine the sensitivity of individual documents to help solve and prevent this problem. At the same time, Concentric has raised $7.5 million in seed funding from Clear Ventures, Engineering Capital, Homebrew and Core Ventures. Concentric was founded in 2018.

In a separate report (PDF) published January 29, 2020, Concentric provides the result of analyzing 26 million unstructured documents from companies in the technology, financial and healthcare sectors. It found that each company has just short of 10 million unstructured documents. Each employee owns almost 2,000 documents. Among these, each employee owns 253 business critical documents — and among these, 38 documents per employee are at risk. Over 627,000 source code files and over 1 million trading files were also found.

But Concentric did not simply find files that were at risk; it found files that had actually been put at risk. Per employee, five business critical documents were erroneously shared with an external party. Twenty-one were improperly shared with other groups. Nine were erroneously shared with internal users. And three business critical documents were wrongly classified.

Manual classification of this volume of documents requires extensive staff training and is prone to error. Manual classification done in arrears is so costly and time-consuming that it is a project often delayed, sometimes indefinitely. Existing automated rule-based methods of searching documents for key words or phrases lead to large numbers of false positives, causing many documents to be over-classified and reducing the general availability of data to the company.

Concentric brings deep learning language analysis that can analyze context. It can tell the difference, for example, between a personal email quoting the dollar-value of a home, and the dollar-figure quoted in sales or M&A documents.

“Discovering and protecting unstructured data is a huge problem,” Concentric CEO and founder Karthik Krishnan told SecurityWeek. “The challenge is that this data is complex: contracts, NDAs, source code, design documents, and so on. Traditional methods of discovery have relied on using word patterns, but this lacks the context to be able to accurately classify the document. The result is that most companies don’t know where their high value assets are.”

Meanwhile, he continued, “deep learning has progressed to the point where it can both solve problems at scale and do it with a degree of precision. What we have built is a system that uses a deep learning language model to develop a semantic level of understanding of the context. We can look at both the words and how they are used within the broader context of a document to understand the meaning. This allows us, in a completely unsupervised manner, to build thematic groups, putting contracts, design documents, NDAs into their own groups.”

By then analyzing and comparing documents within their groups, he explained, the Semantic Intelligence product can understand “how the data has been identified or classified or shared across the business units to provide a risk-based view over that data. The idea is that business-critical data combined with how it has been shared, whether it has been shared with the right sets of people, provides a view into the risk. We could compare a design document with another design document and look for signs of risky sharing where a document might have been shared inappropriately. This is all autonomously derived without a single rule or regular expression or a policy function that needs to be defined up front. It’s all driven by the thematic groupings that we build using our deep learning models. The goal is to help companies discover and protect their unstructured data.”

Semantic Intelligence uncovers, categorizes and classifies the documents, and allows IT and security teams to monitor data security with timely information and risk visualizations that drill down into the at-risk documents. The solution also integrates with major third-party security and data stores to help customers leverage the security investments they already have in place.

“Businesses understand the importance of protecting their critical assets, and yet, despite their best efforts, an extreme amount of data is left unsecured, unidentified, misclassified and at risk,” said Krishnan. “Unstructured data is currently copious and dispersed, and it includes an alarming amount of business-critical information. It’s a target for cybercriminals and can be a pitfall for regulatory compliance, but securing it is incredibly difficult. It’s the data challenge of our digital generation that we’re laser-focused on solving.”

Source: AI-based Document Classification Firm Concentric Emerges From Stealth

Hackers Steal Employee and Corporate Information From Mitsubishi Electric

Personal and corporate information was stolen from electronics and electrical equipment manufacturing company Mitsubishi Electric during a data breach that occurred last year.

In a notice published on Monday, the Japanese company confirmed not only that its network was breached, but also that the attackers may have accessed some personal and confidential corporate information.

The manufacturer revealed that it discovered suspicious behavior on a system on June 28 last year, and that it immediately restricted external access.

The company says its internal investigation has confirmed that “sensitive information on social infrastructure such as defense, electric power, and railways, highly confidential technical information, and important information concerning business partners” hasn’t been stolen.

The company has also revealed that the attackers were careful enough to erase their tracks, which made the compromise difficult to detect on some systems.

Mitsubishi Electric estimates that the hackers exfiltrated around 200MB of data, including employment application information on 1,987 people, employee information on 4,566 people, and information on 1,569 retired employees of affiliated companies.

Confidential technical materials, sales materials, and other trade secrets might have been leaked as well, the company reported.

The manufacturer said it started sending notices of the data breach on January 20, and it is also informing customers about the potential leak of trade secrets. Authorities have been alerted as well.

To access the company’s network, the attackers apparently targeted a vulnerability in an anti-virus product before a patch was released.

According to Japanese newspapers, the attackers gained access to the company’s systems via hijacked email accounts, after initially compromising a China-based affiliate. The hackers had apparently compromised over 120 systems at 14 locations.

Asahi Shimbun reports that data on 10 public and government agencies was stolen during the attack, along with data on the Ministry of Defense, the Ministry of the Environment, the Cabinet Office, the Nuclear Regulatory Commission, and the Agency for Natural Resources and Energy.

The attack is supposedly the work of China-linked hacking group Tick, which has been known to target large companies through their Chinese subsidiaries. Over the past few years, the threat actor has targeted various organizations in Japan and South Korea.

“While the type of data breached is unclear, knowing that Mitsubishi Electric is a top contractor for Japan’s military and infrastructure, this breach is especially concerning. Enterprises and organizations that regularly handle sensitive and confidential data must understand the serious risks associated with a breach of that information and leverage Zero Trust security strategies, where organizations ‘never trust, but always verify’ entities outside and inside their network,” Ben Goodman, CISSP and SVP of global business and corporate development at ForgeRock, told SecurityWeek in an emailed comment.

“To avoid a fate similar to that of Mitsubishi Electric, companies must understand the importance of security solutions that provide full visibility and control over their data. In other words, they must implement tools that detect and remediate misconfigurations, enforce real-time access control, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent the leakage of sensitive information,” Anurag Kahol, CTO of Bitglass, commented via email.

Source: Hackers Steal Employee and Corporate Information From Mitsubishi Electric

2020 Rings in a New Era of Cyber Attacks – and it’s Getting Personal

Recently, I finished a great audiobook by the famed hacker Kevin Mitnick, called “Ghost in the Wires”, where he details his exploits in using social engineering techniques to hack phone systems. For the most part, he used old school methods that involved research, cold calling and convincing people he should have access to their systems. Success was predicated on his skill in manipulation – and the fact that most people inherently want to trust others.

Fast forward to 2020 and social engineering is essentially the same, relying on the techniques pioneered by Mitnick and his peers. The major differences now are that technology and scale play a greater part in the success of today’s attacks.

In a few of my recent articles, I warned about the growth potential for attacks in the coming year and explored some of the methods being adopted by attackers that use technology to ensure greater success.

Many of us are familiar with the two most common types of socially engineered attacks – phishing and spear-phishing – but there are many more to be aware of, including:

Baiting, for example. The age-old story of a hacker leaving a USB device in a carpark, hoping that someone will pick it up and connect to their computer, may sound like the stuff of Hollywood, but it is a surprisingly common attack that has even been used successfully on USB devices given away at computing conferences. Once connected, the USB device will appear to be safe, perhaps containing music or videos. However, it is instead attempting to inject malicious software into the host device.

So, how can a baiting attack be avoided? By never blindly connecting an unknown USB device to your computer. If you do decide to trust the device, make sure you have the latest anti-virus software installed and set to “scan connected devices automatically” to prevent known malware infections.

Pretexting covers several different attacks using emails, texts or phone calls. The attacker will pose as an authority with the intention of leveraging this authority to gain access to private, corporate or personal high value information. For example, in an attack, the target could first be emailed by a family member who says they need money, followed by an urgent text. This is a dangerous attack as it heavily exploits, and ultimately damages, trust.

Verification is the best way to avoid a pretexting attack. As much as we want to trust managers, friends and family members, if you get an unexpected and urgent call pressuring you to provide information or money, take extra steps to verify the request. Hang up and call back on a known number or have the caller provide some information which they would only know if they were genuine.

Tailgating allows an attacker to gain access to a building or a restricted area and is easily executed. For instance, a stranger follows you into the office carrying a heavy box and asks if you can “badge” them in. Or, an unknown person scrambles in behind you, saying “brrr it’s cold outside! I’m glad to get out of the rain.” Either could be a tailgater or present a risk. They are relying on the fact that people want to be helpful and that by appearing to be familiar, they are less likely to be questioned.

Want to avoid a tailgating scenario? If someone asks you to let them in, make sure to escort them to reception – or have them use their own badge to activate the door. Do not rely solely on trust.

Scareware is another successful tactic in recent years, using desktop popups and messages to communicate a fake virus infection warning. Sometimes these messages even appear to be legitimately coming from security companies. Less common, but similar, is to receive the infection message in an email, purporting to come from your internet or security software provider. In both cases, clicking on the message will redirect to a software portal, offering the right software to remove the malware for a cost. At this stage, payment will result in two things: fake antivirus software being installed – or, possibly even malware – and stolen financial information.

Practice caution to avoid scareware. A popup or email stating that you’ve been infected by malware and offering a “click here” fix is likely fake and attempting to scare victims into engaging. Make sure to have the latest antimalware installed, along with the most recent operating system security updates. Never click on unknown popups or emails.

Socially engineered attacks are especially nasty and effective because they rely upon natural human responses to be successful; anyone can be a victim at any time. As both cybercriminals and technology get smarter, the public must also adapt. Educate consumers and employees on the risks and warning signs of these attacks. The idea is to not simply “trust no one;” rather, be cautiously suspicious and train yourself to sniff out the (ph)ishy.

The More Authentication Methods, the Merrier

An Increasingly Diverse, Dynamic Workforce Is Driving Dramatic Change in How Users Authenticate

Remember when being part of an organization’s workforce meant being an employee of that organization, and being “at work” meant sitting in an office at a desktop? In today’s digital age, the latter hasn’t been the case for many people for quite a long time, and in the growing gig economy, the former is becoming less and less common. The workforce is growing more distributed, diverse and dynamic every day, which is driving dramatic change in who’s working, where they’re working, and how they’re connecting with the resources they need to do their work. And if you’re in the business of enabling those connections, it’s driving dramatic change for you.

There are not only more users, but also more kinds of users working in more places, all needing to authenticate in a way that keeps resources secure without making access unduly difficult or time-consuming. And there’s the rub: There’s no one way to achieve that. You need an authentication solution that allows you to authenticate users in multiple ways, both to meet different users’ needs for convenient access and to make multi-factor authentication possible for security purposes. I touched on this in an earlier column about how to evaluate and choose authentication methods; now, let’s take a closer look at some examples of diverse users and their needs, and at what an authentication solution must deliver to meet those needs.

Meet Greg, the Fast-Moving Sales Exec Who’s Never in One Place for Long

We all know this type of user, who is constantly on the go and relies almost entirely on a mobile phone or tablet for access. To make that access easy for him, and secure for the organization, authentication methods that are made for mobility make the most sense. After all, if he has a device in his hand all the time, why not take advantage of it for authentication purposes? Phone-based biometrics, like fingerprint or face recognition, make it easy for this kind of user to quickly authenticate and connect. And on the rare occasions when he needs access through an office workstation or laptop, all he has to do is walk up to it for the device to unlock; as long as he has his authenticating mobile device at hand, proximity authentication does the rest.

Then There’s Judy, Who’s Only in One Place… and Can’t Use a Mobile Device There

Mobile authentication may work perfectly for Greg, but it’s not an option for Judy, a helpdesk representative who works in a call center where mobile devices are prohibited. In this scenario, a physical authenticator like an employer-issued USB security key may be ideal. Hardware-based one-time passcode (OTP) keys may also be great options. There’s also a place for risk-based authentication that takes location into account. Since Judy works in the same building and at the same workstation every day, as long as she logs in from that workstation, she can be quickly authenticated using location services that confirm where she is. This makes authenticating quick and simple, yet secure for the organization. If there’s ever an attempt to log in from a different location using Judy’s credentials, an additional layer of authentication could be required to prove the person attempting to log in is really her. Or the organization could elect to have access automatically denied when a request comes from a different location – which would be reasonable in this case, since Judy only works from one location, without exception.

And Let’s Not Forget the Contractor Who Relies Entirely on Devices You Don’t Control

What about contractors or gig workers who aren’t traditional employees? How do you provide them with the access they require, absent direct control of the devices they’re using to access your organization’s resources? This is a perfect use case for a hardware or software token. A hardware token-based one-time passcode, or a software app that generates passcodes on a mobile phone, will make it possible for non-employees to prove they are who they say they are, no matter what devices they use for access.

Hardware- and software-based OTP solutions also work well for all types of users in environments with no network or internet connectivity. They’re ideal replacements for desktop passwords when the work environment provides no easy way for laptop, desktop or infrastructure components to connect to remote authentication services. In fact, I’m writing this on a flight that has limited Wi-Fi capabilities, and I was able to use my trusty software OTP on my iPhone (in airplane mode) to securely log into my laptop. This is especially important at a time when a lot of attention is paid to protecting connections to web-based applications or cloud-based SaaS applications. We all need to remember the critical nature of information that exists on people’s devices, including laptops, and the need to protect that information.

As the examples above illustrate, diversity in the workforce drives the need for diversity in authentication. As the workforce continues to evolve, a one-size-fits-all approach won’t work for different identity and access management needs across organizations. Managing access in ways that keep diverse users productive and engaged while also keeping your organization’s information secure will continue to be a challenge. Meeting that challenge depends on identity teams understanding the needs of different users and choosing a solution that provides a unified platform for secure enrollment, flexible choices for authentication and identity assurance, and features to reduce the burden on the IT help desk when users lose their credentials or obtain new mobile devices. Keep in mind, too, that adding a layer of risk-based authentication to augment all the options for authentication can further increase security and also reduce user friction.

In my next column, I’ll share ways risk-based authentication can make access experiences better for all the users I’ve described here. As always, awareness is the first step, and I hope the information provided is helpful to you in your journey.

Source: The More Authentication Methods, the Merrier